[Dshield] Database Integrity?

Dan Crooks dcrooks at succeed.net
Sat Mar 10 12:07:22 GMT 2001


I don't read this list often so I am sorry if this is re-hashing old news.
I received a call yesterday from a government agency that specializes in
tracking computer intrusion detection.  They were inquiring about activities
that reports showed originated from my IP.  This agency received a report
that originated from DShield sources that showed that on a couple of dates
back in January my IP was the #1 attacker.

At first I thought my machine had been hacked and someone was using it to
scan other machines without my knowledge.  I had not noticed anything that
would indicate I had been hacked.  I could find no trace of any intrusion.
Then I thought that maybe my submissions to the database at DShield had
gotten reversed, making me the attacker instead of the attacked.  Using the
search tool on DShield I was unable to determine much of anything useful.

Luckily I keep all my submission reports to DShield.  I reviewed the dates
in question and discovered that on those dates I had run port scans on my
machine using nmap to look for weaknesses in my own system.  The log I
submitted to DShield shows the same IP as attacker and attackee!!

If government agencies are going to use DShield reports to track attackers
there has got to be some way to prevent this kind of mistake.  Had this
agency decided to seize my equipment based on the information they received
from DShield it would have smeared the whole DShield project.  Error checking
must be accomplished on reports submitted to DShield BEFORE being written to
the database, otherwise the database is useless.

If DShield receives reports that contain the same IP for both inbound and
outbound it should NOT add them to the database?
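
The check requested in the message above, sketched as an added example; it is not part of the original post and is not DShield's code. It goes slightly beyond the case described: besides rows whose source and target are the same address, it also holds back rows whose source is another address the submitter has declared as their own, and rows with loopback, unspecified or malformed addresses. The row layout and field names (`source`, `target`, `port`) and the `own_addresses` parameter are assumptions made for illustration.

```python
import ipaddress

def normalize(text):
    """Parse an address, folding IPv4-mapped IPv6 onto IPv4 so both spellings compare equal."""
    addr = ipaddress.ip_address(text.strip())
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this attribute
    return mapped if mapped is not None else addr

def check_row(row, own_addresses=()):
    """Return None if the row may be stored, otherwise the reason it is held back."""
    try:
        src, dst = normalize(row["source"]), normalize(row["target"])
        own = {normalize(a) for a in own_addresses}
    except ValueError:
        return "malformed address"
    if src == dst:
        return "source equals target"
    if src in own:
        return "source belongs to submitter"
    if src.is_loopback or src.is_unspecified:
        return "source not routable"
    return None

def filter_report(rows, own_addresses=()):
    """Split a submission into rows to store and (row, reason) pairs to hold back."""
    accepted, rejected = [], []
    for row in rows:
        reason = check_row(row, own_addresses)
        if reason is None:
            accepted.append(row)
        else:
            rejected.append((row, reason))
    return accepted, rejected

# Constructed sample submission (documentation-range addresses, hypothetical field names).
SAMPLE = [
    {"source": "198.51.100.7", "target": "192.0.2.10", "port": 23},
    {"source": "192.0.2.10", "target": "192.0.2.10", "port": 80},
    {"source": "::ffff:192.0.2.10", "target": "192.0.2.10", "port": 80},
    {"source": "192.0.2.11", "target": "192.0.2.10", "port": 22},
    {"source": "127.0.0.1", "target": "192.0.2.10", "port": 25},
    {"source": "not-an-ip", "target": "192.0.2.10", "port": 25},
]

if __name__ == "__main__":
    kept, dropped = filter_report(SAMPLE, own_addresses=["192.0.2.11"])
    print(len(kept), "stored")
    for row, reason in dropped:
        print("held back:", row["source"], "->", row["target"], reason)
```

Held-back rows are returned with a reason rather than silently discarded, so a submitter or database operator can review what was excluded.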